Microsoft Commerce Server OWC package installer folder permissions could allow remote command execution
| mscs-owc-installer-permissions (9425) |
Description:
Microsoft Commerce Server could allow an authenticated remote attacker to execute arbitrary commands on the system. The cause is improper permissions on the folder containing the Office Web Components (OWC) package installer. A remote attacker who holds valid login credentials for the system running Commerce Server could pass arbitrary commands to the OWC package installer, and the installer would execute them with the privileges of the attacker's login account. Because a valid account is required, the exposure is limited to what that account could already do locally, but it gives any user with a login on the server a path to run commands through a Commerce Server component.
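The entry attributes the flaw to folder permissions, so the check a practitioner wants is whether broad principals hold write-class rights on the installer's directory. The following is an added example, not code from the X-Force entry, Microsoft, or NGSSoftware; the default folder path is an assumption and must be replaced with the directory that actually holds the OWC package installer on the server being audited.

```powershell
# Added example: audit a folder's ACL for write-class rights granted to broad
# principals (Everyone, Users, Authenticated Users, ...). The default path below
# is an assumption, not a path taken from the advisory.
param(
    [string]$Path = 'C:\Program Files\Microsoft Commerce Server\OWC'   # assumed path
)

# Principals that should never be able to add or alter files in a directory
# whose contents are executed by a shared or privileged component.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'NT AUTHORITY\NETWORK'
)

# Explicit rights that let a caller change what the installer will run.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions

# Inherited ACEs are sometimes reported with generic access bits rather than
# specific rights; GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000)
# both imply write access, so flag them as well.
$GenericWriteBits = 0x10000000 -bor 0x40000000

function Test-FolderWritableByBroadPrincipal {
    param([Parameter(Mandatory)][string]$Folder)

    if (-not (Test-Path -LiteralPath $Folder -PathType Container)) {
        Write-Warning "Folder not found: $Folder"
        return $null
    }

    $acl = Get-Acl -LiteralPath $Folder
    $findings = @()

    foreach ($ace in $acl.Access) {
        # Only Allow entries grant access; Deny entries are not a weakness.
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $who = $ace.IdentityReference.Value
        if ($BroadPrincipals -notcontains $who) { continue }

        $hasExplicitWrite = ($ace.FileSystemRights -band $WriteMask) -ne 0
        $hasGenericWrite  = ([int]$ace.FileSystemRights -band $GenericWriteBits) -ne 0

        if ($hasExplicitWrite -or $hasGenericWrite) {
            $findings += [pscustomobject]@{
                Folder    = $Folder
                Principal = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }

    return $findings
}

$result = Test-FolderWritableByBroadPrincipal -Folder $Path
if ($result) {
    "WEAK: broad principals can modify $Path"
    $result | Format-Table -AutoSize
} else {
    "OK: no broad principal holds write-class rights on $Path"
}
```

Run it as an administrator so that Get-Acl can read the full DACL. A finding with Inherited set to True means the weak right comes from a parent directory, and the fix belongs there rather than on the installer folder alone. The script only reports the condition; the supported remedy remains the MS02-033 patch.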
Platforms Affected:
- Microsoft, Commerce Server 2000
- Microsoft, Commerce Server 2002
- Microsoft, IIS 5.0
Remedy:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS02-033. See References. Note that the bulletin is titled for the Profile Service unchecked buffer but also covers this OWC package installer issue and the other Commerce Server problems reported at the same time, so a server patched against the Profile Service issue via MS02-033 is patched against this one as well.
Consequences:
Gain Access
References:
- Microsoft Security Bulletin MS02-033, Unchecked Buffer in Profile Service Could Allow Code Execution in Commerce Server (Q322273) at http://www.microsoft.com/technet/security/bulletin/ms02-033.mspx.
- NGSSoftware Insight Security Research Advisory #NISR03062002, Remotely Exploitable Buffer Overruns in Microsoft's Commerce Server 2000/2 at http://archives.neohapsis.com/archives/bugtraq/2002-07/0030.html.
- BID-5111: Microsoft Commerce Server 2000 OWC Package Installer Local Command Execution Vulnerability
- CVE-2002-0622: The Office Web Components (OWC) package installer for Microsoft Commerce Server 2000 allows remote attackers to execute commands by passing the commands as input to the OWC package installer, aka OWC Package Command Execution.
- OSVDB ID: 5170: Microsoft Commerce Server OWC Installer Arbitrary Command Execution
Reported:
Jun 26, 2002
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
